Towards a sustainable solution to open source sustainability

Towards a sustainable solution to open source sustainability Tobie Langel, Principal, UnlockOpen

The Heartbleed Bug

Heartbleed bug 💔 WHAT WAS HEARTBLEED? Critical vulnerability that affected the OpenSSL library in 2014. 🔐 WHAT IS OPENSSL? The OpenSSL library is responsible for securing network communications in UNIX systems. 🌍 WHY IS OPENSSL SO IMPORTANT? It powers the majority of internet servers.

Heartbleed bug impact 👩⚕ 4.5 MILLION The number of US patient records whose confidentiality was compromised. 💰 $500 MILLION Estimated cost to the industry.

Pivotal moment where tech industry realizes open source is: 🌏 UBIQUITOUS 2/3 of active sites on the Internet rely on the OpenSSL library. ⚠ CRITICAL OpenSSL encrypts private communications, bank transactions, medical records, etc. 💸 UNDERFUNDED Only 1 full-time maintainer, shoestring budget ($2k/year).

🔥 MAINTAINER BURNOUT Huge burden carried by maintainers and cost to their mental health. 🌊 OPENED THE FLOODGATES The community started speaking up about these issues. ♻ SUSTAINABILITY Open source sustainability took center stage. ❓ MULTIPLE RESPONSES This triggered a diverse set of response from different actors in the field.

🏭 INDUSTRY-WIDE EFFORT Organized by the Linux Foundation. Backed by tech giants. 💰 MULTI-MILLION $ FUND Administered by Linux Foundation and a steering group of industry experts. 🎯 GOAL Harden the security of key open source projects. 👓 STRICT FOCUS ON “CORE INFRA” The goal is to prevent a new Heartbleed. Not to make open source as a whole more sustainable.

🎨 FOCUS Originally aimed at artists, musicians & writers. 🌊 GOAL Create a “meaningful revenue stream.” 🏆 SUCCESS STORY Evan You (pictured), creator of Vue.js. Nets over $17K per month. ❌ REPRODUCIBLE? Not really. Very few devs have a large enough revenue stream to work on OSS full-time.

🏪 GITHUB ISSUE MARKET Allows project owners to add bounties to GitHub issues. Devs submit their work as a pull request. 💰 $500,000 Amount of bounties paid on the platform in 2018. ⛓ BLOCKCHAIN-BASED Developers received bounties in Ether. 🌳 WHOLE ECOSYSTEM GitCoin also provides an ad network (CodeFund), and a Patreon-like solution (Grants).

👩💻 CONTEXTUAL ADS Advertise on the websites of open source projects. 💼 HIRING FOCUS Dedicated solution for hiring developers. 💵 $6K PER MONTH Redistributed to project maintainers out of $10K monthly revenue.

👩💻 CONTEXTUAL ADS Advertise on the websites of open source projects. 💼 HIRING FOCUS Dedicated solution for hiring developers. 💵 $6K PER MONTH Redistributed to project maintainers out of $10K monthly revenue.

👍 ENDORSED BY CODEFUN “They have the same mission, goals, and ethics that we worked hard to achieve.” 📖 ORIGIN STORY Originated as a way to fund sustainable open source development. 🧑💻 DEVELOPER FOCUSED 100% focused on advertising to developers. 📈 1 BILLION Number of ads served since 2016.

🔍 WHAT DOES IT DO? Provides non profit status (501c6) to open source projects & transparency as to how funds are used. 🏆 SUCCESS STORY WebPack reached $400K+ yearly funding in 2018. Win-win situation for key sponsor (Trivago). 🐿 LONG TAIL PROBLEM A few projects are getting most of the funding (>25% of total funds for WebPack in 2017).

🛥 WHAT IS IT? Red Hat business model for the long tail. 🛎 SERVICES Provides security updates, maintenance, and legal assurances for all open source projects in an organization’s stack. 👨💻 HOW? By paying the actual maintainers to do the work. 🏆 SUCCESS STORY None yet. Still too early.

Limitations of addressing open source sustainability through funding alone 📡 DOES IT SCALE? Is the current level of funding realistic compared to open source ubiquity? 💵 IS MONEY EVEN WHAT’S MISSING? Are we trying to solve the right problem? 🔮 IS IT A DESIRABLE OUTCOME? Do we want a future with charity-funded open source developers on one side, and corporate developers writing “glue code” on the other? 💸 WHAT IS THE REAL VALUE OF OPEN SOURCE? Isn’t it time to look beyond the source code?

Limitations of addressing open source sustainability through funding alone 📡 DOES IT SCALE? Is the current level of funding realistic compared to open source ubiquity? 💵 IS MONEY EVEN WHAT’S MISSING? Are we trying to solve the right problem? 🔮 IS IT A DESIRABLE OUTCOME? Do we want a future with charity-funded open source developers on one side, and corporate developers writing “glue code” on the other? 💸 WHAT IS THE REAL VALUE OF OPEN SOURCE? Isn’t it time to look beyond the source code?

$100

$10,000 Monthly revenue of CodeFun.

1 million dollars • • Amount collected by Open Collective in a year. Amount Tidelift committed to pay developers.

Worldwide developer population Non-pro 4.30M Full-time Part-time 11.65M 6.35M : h t a m e p o l e v n e e h t f o k c a b k c i u Q B 0 8 7 $ = K 5 6 $ x s v e d T F M 12 B 0 1 2 $ = K 5 3 $ x s v e d T P M +6 s r a l l o d n o i l l i r t ~= 1 Source: IDC, Worldwide Developer Census, 2018.

1 million dollars • • Amount collected by Open Collective in a year. Amount Tidelift committed to pay developers.

100 million dollars 1 million dollars $10,000

1 billion dollars

10 billion dollars

1 trillion dollars

1 million dollars

Limitations of addressing open source sustainability through funding alone 📡 DOES IT SCALE? Is the current level of funding realistic compared to open source ubiquity? 💵 IS MONEY EVEN WHAT’S MISSING? Are we trying to solve the right problem? 🔮 IS IT A DESIRABLE OUTCOME? Do we want a future with charity-funded open source developers on one side, and corporate developers writing “glue code” on the other? 💸 WHAT IS THE REAL VALUE OF OPEN SOURCE? Isn’t it time to look beyond the source code?

Developers working on the Linux kernel Non employed 7.7% Employed 92.3% Source: Linux Kernel Development report 2016.

Limitations of addressing open source sustainability through funding alone 📡 DOES IT SCALE? Is the current level of funding realistic compared to open source ubiquity? 💵 IS MONEY EVEN WHAT’S MISSING? Are we trying to solve the right problem? 🔮 IS IT A DESIRABLE OUTCOME? Do we want a future with charity-funded open source developers on one side, and corporate developers writing “glue code” on the other? 💸 WHAT IS THE REAL VALUE OF OPEN SOURCE? Isn’t it time to look beyond the source code?

“[P]art of the reason much of open source is so good, and often so superior to closed-source commercial projects, is the natural boundary of constraints. If you are not being paid or otherwise compensated directly for your work, you’re less likely to needlessly embellish it. You’re solving the problems for you and your mates, likely in the simplest way you could, so you can get back to whatever you originally intended to do before starting to shave the yak.” —DHH, The Perils of mixing open source and money, Nov 12, 2013.

Limitations of addressing open source sustainability through funding alone 📡 DOES IT SCALE? Is the current level of funding realistic compared to open source ubiquity? 💵 IS MONEY EVEN WHAT’S MISSING? Are we trying to solve the right problem? 🔮 IS IT A DESIRABLE OUTCOME? Do we want a future with charity-funded open source developers on one side, and corporate developers writing “glue code” on the other? 💸 WHAT IS THE REAL VALUE OF OPEN SOURCE? Isn’t it time to look beyond the source code?

Charity-like funding alone is not the solution. Real way forward is to normalize engineers contributing to open source as part of their day job. How? Make organizations understand the ROI of contributing to open source.

Tobie Langel Principal, UnlockOpen unlockopen.com tobie@unlockopen.com Thank you!